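Translate the internal network 10.1.1.0/24 to the public addresses 200.1.1.1~200.1.1.10/28 for Internet access (reaching Server3), and analyze a packet capture
Verify that dynamic NAT is a one-way translation
Set up the lab environment
Follow the steps below to implement this case.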
acl 2000
rule 5 permit source 10.1.1.0 0.0.0.255
nat address-group 1 200.1.1.1 200.1.1.10
int g0/0/2
nat outbound 2000 address-group 1 no-pat
[Huawei]dis nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
GigabitEthernet0/0/2 2000 1 no-pat
--------------------------------------------------------------------------
Total : 1
Test by pinging Server3 from PC1: the internal network can reach the external network. Then view the NAT translation table
[Huawei]dis nat session all
NAT Session Table Information:
Protocol : ICMP(1)
SrcAddr Vpn : 10.1.1.1
DestAddr Vpn : 200.1.1.13
Type Code IcmpId : 0 8 43982
NAT-Info
New SrcAddr : 200.1.1.1
New DestAddr : ----
New IcmpId : ----
Total : 1
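Capture packets on the router's G0/0/2 interface; the source address has already been translated, as shown in .
Server3 cannot ping PC1, which shows that dynamic NAT is one-way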
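To check the translation table against the configuration rather than by eye, the following added example (not part of the original lab) parses the `dis nat session all` output shown above and confirms that each translated source is permitted by ACL 2000 and mapped into address-group 1. The function names are hypothetical, and reading "----" as "field left untranslated" is an assumption.

```python
import ipaddress

# From the page's configuration: ACL 2000 rule 5 and address-group 1.
ACL_BASE, ACL_WILDCARD = "10.1.1.0", "0.0.0.255"
POOL_FIRST, POOL_LAST = "200.1.1.1", "200.1.1.10"
# Session entry copied from the page's `dis nat session all` output.
SAMPLE = """\
Protocol : ICMP(1)
SrcAddr Vpn : 10.1.1.1
DestAddr Vpn : 200.1.1.13
Type Code IcmpId : 0 8 43982
NAT-Info
New SrcAddr : 200.1.1.1
New DestAddr : ----
New IcmpId : ----
Total : 1
"""

def ip(s):
    return int(ipaddress.IPv4Address(s))

def acl_permits(addr):
    # Wildcard mask: bits set to 1 are ignored, bits set to 0 must match.
    care = ~ip(ACL_WILDCARD) & 0xFFFFFFFF
    return (ip(addr) ^ ip(ACL_BASE)) & care == 0

def parse_sessions(text):
    # One dict per session; a "Protocol" line starts a new entry.
    sessions = []
    for line in text.splitlines():
        key, sep, val = (" ".join(p.split()) for p in line.partition(":"))
        if key == "Protocol":
            sessions.append({})
        if sep and val and sessions and key != "Total":
            sessions[-1][key] = val
    return sessions

def audit(s):
    # Findings for one session; an empty list means it matches the config.
    out = []
    if not acl_permits(s["SrcAddr Vpn"]):
        out.append("source not permitted by ACL 2000")
    if not ip(POOL_FIRST) <= ip(s["New SrcAddr"]) <= ip(POOL_LAST):
        out.append("translated source outside address-group 1")
    # Assumption: "----" marks a field left untranslated, as no-pat implies.
    if s.get("New IcmpId", "----") != "----":
        out.append("ICMP id rewritten, entry is not no-pat")
    return out
```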